The Global State of Information Security® Survey 2017

Moving forward with cybersecurity and privacy

Organizations are adopting innovative cybersecurity and privacy safeguards to manage threats and achieve competitive advantages. To do so, they are thinking more broadly about cybersecurity and privacy as both protectors and enablers for the business, third-party partners and customers.

New cybersecurity and privacy safeguards to jumpstart success

This year’s Global State of Information Security® Survey findings explore how organizations around the world are proactively negotiating the increasingly dynamic cybersecurity and privacy landscape. More than 10,000 business and IT executives told us what they are doing—and plan to do in the future—to protect digital assets and create business advantages.

This year, the key findings show that survey respondents are focusing on four areas:

We will take a deeper dive into these four themes in a series of reports that will explore how companies are addressing these trends. The reports will also look at how the trends intersect and create synergies for truly differentiating business advantages.

Threat intelligence and information sharing are business-critical

Real-time threat intelligence and contextual awareness of risks are central to detecting, responding to and mitigating cyberthreats. Equally integral is sharing of threat intelligence with business peers, industry groups and government agencies. We will explore how organizations are enhancing threat intelligence and information sharing to create a more proactive, resilient defense.

Digital businesses are adopting new safeguards

Most businesses today are digital, and software is the backbone of operations, products and services. Increasingly, organizations are creating value by integrating cybersecurity and privacy with digital business strategies. Learn how they are synthesizing the cloud with technologies like data analytics and monitoring, authentication and open-source software to create new opportunities.

Securing the potential of the Internet of Things

Despite its myriad promises, the Internet of Things (IoT) is a growing cybersecurity and privacy concern. To address risks, many organizations are proactively updating data-governance policies, assessing devices and technologies, and creating employee training programs. This paper will take a look at how businesses are preparing for the commerce, manufacturing and society of tomorrow.

Proactively addressing geopolitical threats

Geopolitical conflicts have given rise to complex new attacks by nation-states and hacktivists. Many organizations are addressing these threats by deploying offensive tools such as real-time monitoring and analytics, threat-detection and identity management solutions. We examine how they are leveraging these safeguards to better understand and detect risks unique to each geography and industry.

Connecting the dots: A timeline of technologies, threats and regulations that redefined cybersecurity and privacy

This interactive timeline shows how cybersecurity and privacy practices have evolved in line with technology advances, regulations and threats. You can correlate topics by year, category and major milestones, and delve deeper into related original articles, blog posts, videos and PwC thought leadership.

Malware is nothing new: The first PC virus hit more than three decades ago. While early malware was relatively harmless—and sometimes little more than amateurish hijinks—over the years the technical complexity, method of proliferation and destructive capabilities have changed dramatically.

The ways that malware proliferates has evolved alongside technology. The first PC virus, Brain, was identified in 1985 and spread slowly via floppy disk. The game changed with Morris, the first Internet worm that quickly infected thousands of computers in 1988. A decade later, in 1987, viruses that propagate via document sharing were introduced, followed by malware that is spread via email.

Today’s malware is technically sophisticated, difficult to detect and capable of causing physical damage. One of the most notable examples is Stuxnet. This weaponized malware, which disrupted an Iranian uranium enrichment facility in 2010, was designed to stealthily infiltrate industrial control systems and enable operators to remotely control physical systems. Similarly, in 2014 the Energetic Bear malware affected the industrial control systems of US and European energy companies.

In 2013, the Target Stores data breach spotlighted the risk of attack via the systems of third-party partners. Hackers gained access to the retailer’s point-of-sale system via a trusted contractor, and over the course of a month compromised 110 million customer records. The breach was not without an upside: The attendant publicity helped boost the awareness of cybersecurity risks in the Boardroom.

The sophisticated nation-state attack on Sony Pictures Entertainment in 2014 represented a new level of malice and disruption. The hack exposed sensitive data and communications, significantly disrupted business operations and resulted in last-minute cancellation of a motion picture. It also blurred the lines between cybersecurity attacks and cyberwar.

Not all attacks are accomplished with complex code, however. Phishing schemes and business email compromise are two well-known threats that have been around (and successful) for as long as the first worms, and rely mostly on simple research and social engineering. In fact, phishing was the most-cited vector of compromise among GSISS respondents in 2016.

You might think that sharing of cyberthreat intelligence to improve incident detection and response is this year’s cyberfad. Not really. The Financial Services-Information Sharing and Analysis Center (FS-ISAC) was founded in 1999 and today counts members from more than 6,000 firms around the world.

What is new are a slew of government-backed initiatives to promote information sharing between the private and public sectors. In 2013, for instance, the UK launched the Cyber Security Information Sharing Partnership to promote sharing of cyberthreat and vulnerability information among businesses. The next year, the US National Institute of Standards and Technology (NIST) published its NIST Cybersecurity Framework, which heavily emphasizes the importance of information sharing between government and industry.

In 2015, US President Barack Obama signed Executive Order 13691, an initiative that promotes sharing of cybersecurity threat intelligence among private-sector companies. The Executive Order also called on businesses and government to create Information Sharing and Analysis Organizations (ISAOs). These new organizations, unlike ISACs, are not industry-specific and can be based on a region or even a response to a specific threat.

Later in the year, the US voted in the 2015 Cybersecurity Information Sharing Act (CISA), a federal law that provides a framework for sharing cyberthreat information between industry and government. In the European Union, the newly approved General Data Protection Regulation (GDPR) will require that member nations participate in a cybersecurity information-sharing group and establish Computer Security Incident Response Teams to promote swift operational cooperation. Most recently, Japan created a Personal Information Protection Commission to act as a supervisory body on privacy protection and to help businesses understand the impacts of the GDPR.

Whether by legislation or individual initiative, the sharing of cybersecurity intelligence can provide an additional layer of knowledge and support in detecting and responding to incidents. But information sharing will not achieve its potential if government agencies, businesses and other stakeholders do not proactively take action and commit to collaborate.

When cellular phones took off in the early 1990s, they were used exclusively for phone calls. That changed as smartphones and tablet computers were developed and mobile operating systems and apps enabled devices to deliver a rich computing experience.

These technologies set the stage for one of the biggest moments in mobility: On January 9, 2007, Apple announced its first iPhone. The iPhone was an entirely new breed of mobile device that integrated new functionalities and services through mobile apps. A decade later, smartphones are the go-to device for email, instant messaging, online banking, snapping photos, social media, shopping and more. In the workplace, businesses have gradually adopted smartphones and tablets to enhance employee processes and productivity. In doing so, they have redefined when, where and how work is done.

As use of mobile devices surges, so too do cybersecurity risks. In part, that’s because mobile devices use a range of communications interfaces—such as cellular, Wi-Fi, Bluetooth, GPS and Near Field Communication—that expose more surface areas to attack. In addition, mobile devices present an increased opportunity for data loss and exposure, aggravated by the fact that they are more easily stolen or lost than desktop computers and servers. And mobile devices are also subject to specialized malware and phishing attacks.

It’s not surprising, then, that the number of GSISS respondents who reported compromise of a mobile device increased by 76% from 2009 to 2016. To address these risks, 54% of this year’s GSISS respondents said they have implemented a mobile security strategy, while 47% (in 2014) said they use Mobile Device Management software. In addition to technology solutions, mobile device security also will require ongoing employee training to reduce cybersecurity incidents that result from user carelessness or lack of awareness.

As cybersecurity incidents multiply in frequency and destructive power, the Chief Information Security Officer (CISO) has become increasingly pivotal to business success. And the stature of the CISO will continue to rise as businesses are digitized and dependent on effective cybersecurity.

A decade ago, only 32% of GSISS respondents had a CISO in charge of information security; in 2016, more than half (53%) said they have hired a CISO. But this year’s CISO will probably not resemble his or her 2007 counterpart. In the past, CISOs typically rose through the ranks of IT and relied on technical skills to manage cybersecurity. They tended to be siloed in IT, and typically were not attuned to the business objectives and strategies of the overall organization.

As companies recognize that cybersecurity is an enterprise-wide risk issue—not an IT responsibility—the CISO’s responsibilities and competencies have become increasingly business focused. Today’s CISOs are held accountable for risks and are expected to deliver a minimum information security posture across the organization. They also should be prepared to help C-suite executives and the Board understand that managing cyberthreats is just as important as managing operational, legal, financial and compliance risks.

Increasingly, CISOs are senior business managers who have expertise not only in cybersecurity but also risk management, corporate governance and overall business objectives. They have access to—and the confidence of—key executives to provide insight into cybersecurity risks in a language that the C-suite and Board understands.

This level of accountability is more likely to be achieved when the top security leader reports to a corporate officer who has broad oversight of both risk and strategy, preferably the CEO or other C-suite executives. GSISS research shows that most CISOs report directly to the CEO, followed by the CIO and Board.

These factors galvanized US credit card issuers to announce in 2012 migration roadmaps to the EMV payment card standard, which will replace magnetic-swipe cards. Card issuers set a deadline of October 2015 for most US retailers.

The years after the announcement of the EMV road map certainly supported the need for more secure card payment systems. In 2013 and 2014, breaches at Target Stores (110 million customer records), Neiman Marcus (payment card information of 350,000 customers) and Home Depot (56 million payment card records) galvanized support for adoption of the EMV standard.

Despite the rise of mega-breaches and industry support for EMV, by 2016 only 20% of GSISS US retail and consumer respondents said they had implemented EMV capabilities. US merchants that have not deployed EMV should take action now to assess the liability risk compared with the cost and impact of implementation. It’s also important to factor in customer trust in charting a road map for EMV deployment.

Industry findings

“We’re seeing more and more that cybersecurity can actually become a remarkable way to help a company innovate and move faster. In certain kinds of digital innovation, the security considerations, controls and capabilities, alongside a frictionless means of authentication, are essential to the design and development of these new products and services.”